This is an automated email from the ASF dual-hosted git repository.
pauls pushed a commit to branch master
in repository
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-feature-cpconverter.git
The following commit(s) were added to refs/heads/master by this push:
new c1271ce SLING-9957, SLING-9975 (#57)
c1271ce is described below
commit c1271cea922190ff0be4198625f8c2b9137bff4a
Author: anchela <[email protected]>
AuthorDate: Wed Jan 20 15:54:23 2021 +0100
SLING-9957, SLING-9975 (#57)
* SLING-9975 : RepPolicyEntryHandler ignores restrictions defined in
jackrabbit2 format
* SLING-9957 : Hardcoded list of restriction names in
RepPolicyEntryHandler.RepPolicyParser
* SLING-10078 : DefaultAclManager does not handle multiple restrictions
correctly.
Co-authored-by: angela <[email protected]>
Co-authored-by: Karl Pauls <[email protected]>
---
.../accesscontrol/DefaultAclManager.java | 5 +--
.../cpconverter/handlers/AbstractPolicyParser.java | 22 ++++++----
.../handlers/RepPolicyEntryHandler.java | 8 ++--
.../handlers/RepPrincipalPolicyEntryHandler.java | 16 +++++---
.../handlers/RepPolicyEntryHandlerTest.java | 48 +++++++++++++++-------
.../RepPrincipalPolicyEntryHandlerTest.java | 2 +-
.../jr2restrictions/.content.xml} | 14 +------
.../jr2restrictions/_rep_policy.xml} | 17 ++++----
.../services/random2/_rep_principalPolicy.xml | 5 ++-
9 files changed, 78 insertions(+), 59 deletions(-)
diff --git
a/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java
b/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java
index e898d13..1508a78 100644
---
a/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java
+++
b/src/main/java/org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.java
@@ -265,9 +265,8 @@ public class DefaultAclManager implements AclManager {
entry.getPrivileges(),
path);
- if (!entry.getRestrictions().isEmpty()) {
- formatter.format(" restriction(%s)",
- String.join(",", entry.getRestrictions()));
+ for (String restriction : entry.getRestrictions()) {
+ formatter.format(" restriction(%s)", restriction);
}
formatter.format("%n");
diff --git
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/AbstractPolicyParser.java
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/AbstractPolicyParser.java
index 31cd85e..109a3bb 100644
---
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/AbstractPolicyParser.java
+++
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/AbstractPolicyParser.java
@@ -34,9 +34,7 @@ abstract class AbstractPolicyParser extends
AbstractJcrNodeParser<Boolean> {
static final String REP_RESTRICTIONS = "rep:Restrictions";
static final String REP_PRINCIPAL_NAME = "rep:principalName";
-
- private static final String REP_PRIVILEGES = "rep:privileges";
- private static final String[] RESTRICTIONS = new String[] { "rep:glob",
"rep:ntNames", "rep:prefixes", "rep:itemNames" };
+ static final String REP_PRIVILEGES = "rep:privileges";
private static final Pattern typeIndicatorPattern =
Pattern.compile("\\{[^\\}]+\\}\\[(.+)\\]");
@@ -69,16 +67,22 @@ abstract class AbstractPolicyParser extends
AbstractJcrNodeParser<Boolean> {
return expression;
}
- static void addRestrictions(@NotNull AccessControlEntry ace, @NotNull
Attributes attributes) {
- for (String restriction : RESTRICTIONS) {
- String v = extractValue(attributes.getValue(restriction));
-
- if (v != null && !v.isEmpty()) {
- ace.addRestriction(restriction + ',' + v);
+ void addRestrictions(@NotNull AccessControlEntry ace, @NotNull Attributes
attributes) {
+ for (int i = 0; i < attributes.getLength(); i++) {
+ String name = attributes.getQName(i);
+ if (isRestriction(name)) {
+ String v = extractValue(attributes.getValue(name));
+ if (v != null && !v.isEmpty()) {
+ ace.addRestriction(name + ',' + v);
+ }
}
}
}
+ boolean isRestriction(@NotNull String attributeName) {
+ return !(REP_PRINCIPAL_NAME.equals(attributeName) ||
REP_PRIVILEGES.equals(attributeName) || attributeName.startsWith("jcr:"));
+ }
+
AccessControlEntry createEntry(boolean isAllow, @NotNull Attributes
attributes) {
return new AccessControlEntry(isAllow,
Objects.requireNonNull(extractValue(attributes.getValue(REP_PRIVILEGES))),
repositoryPath);
}
diff --git
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java
index fb5cea6..c87b65e 100644
---
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java
+++
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java
@@ -72,11 +72,13 @@ public class RepPolicyEntryHandler extends
AbstractPolicyEntryHandler {
String primaryType = attributes.getValue(JCR_PRIMARYTYPE);
if (REP_GRANT_ACE.equals(primaryType) ||
REP_DENY_ACE.equals(primaryType)) {
String principalName =
attributes.getValue(REP_PRINCIPAL_NAME);
- AccessControlEntry acl =
createEntry(operations.get(primaryType), attributes);
+ AccessControlEntry ace =
createEntry(operations.get(primaryType), attributes);
+ // handle restrictions added in jr2 format (i.e. not
located below rep:restrictions node)
+ addRestrictions(ace, attributes);
- processCurrentAcl = aclManager.addAcl(principalName, acl);
+ processCurrentAcl = aclManager.addAcl(principalName, ace);
if (processCurrentAcl) {
- acls.add(acl);
+ acls.add(ace);
} else {
hasRejectedNodes = true;
}
diff --git
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandler.java
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandler.java
index 1872c56..73fe351 100644
---
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandler.java
+++
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandler.java
@@ -45,10 +45,6 @@ public final class RepPrincipalPolicyEntryHandler extends
AbstractPolicyEntryHan
private static final String REP_RESTRICTIONS = "rep:Restrictions";
- private static final String REP_PRINCIPAL_NAME = "rep:principalName";
-
- private static final String REP_PRIVILEGES = "rep:privileges";
-
private static final String REP_PRINCIPAL_POLICY =
"rep:PrincipalPolicy";
private static final String REP_PRINCIPAL_ENTRY = "rep:PrincipalEntry";
@@ -84,7 +80,8 @@ public final class RepPrincipalPolicyEntryHandler extends
AbstractPolicyEntryHan
RepoPath effectivePath = new
RepoPath(attributes.getValue(REP_EFFECTIVE_PATH));
AccessControlEntry ace = new AccessControlEntry(true,
privileges, effectivePath, true);
-
+ // NOTE: nt-definition doesn't allow for jr2-stype
restrictions defined right below the entry.
+ // instead always requires rep:restrictions child node
processCurrentAcl = aclManager.addAcl(principalName, ace);
if (processCurrentAcl) {
aces.add(ace);
@@ -115,5 +112,14 @@ public final class RepPrincipalPolicyEntryHandler extends
AbstractPolicyEntryHan
handler.endElement(uri, localName, qName);
}
}
+
+ @Override
+ boolean isRestriction(@NotNull String attributeName) {
+ if ((REP_EFFECTIVE_PATH.equals(attributeName))) {
+ return false;
+ } else {
+ return super.isRestriction(attributeName);
+ }
+ }
}
}
diff --git
a/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java
b/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java
index 421f627..cfca3de 100644
---
a/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java
+++
b/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandlerTest.java
@@ -32,7 +32,9 @@ import org.junit.Before;
import org.junit.Test;
import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
import java.io.StringReader;
+import java.security.acl.Acl;
import java.util.List;
import static org.junit.Assert.assertEquals;
@@ -43,15 +45,18 @@ import static org.junit.Assert.assertTrue;
public final class RepPolicyEntryHandlerTest {
private RepPolicyEntryHandler handler;
+ private AclManager aclManager;
@Before
public void setUp() {
handler = new RepPolicyEntryHandler();
+ aclManager = new DefaultAclManager();
}
@After
public void tearDown() {
handler = null;
+ aclManager = null;
}
@Test
@@ -198,18 +203,16 @@ public final class RepPolicyEntryHandlerTest {
@Test
public void parseEmptyAcl() throws Exception {
- Extension extension = TestUtils.createRepoInitExtension(handler, new
DefaultAclManager(), "/jcr_root/home/users/system/asd/_rep_policy.xml",
getClass().getResourceAsStream("/jcr_root/home/users/system/asd/_rep_policy.xml".substring(1)),
new ByteArrayOutputStream());
+ Extension extension = TestUtils.createRepoInitExtension(handler,
aclManager, "/jcr_root/home/users/system/asd/_rep_policy.xml",
getClass().getResourceAsStream("/jcr_root/home/users/system/asd/_rep_policy.xml".substring(1)),
new ByteArrayOutputStream());
assertNull(extension);
}
@Test
public void policyAtAuthorizableFolder() throws Exception {
SystemUser s1 = new SystemUser("service1", new
RepoPath("/home/users/system/services/random1"), new
RepoPath("/home/users/system/services"));
-
- AclManager aclManager = new DefaultAclManager();
aclManager.addSystemUser(s1);
- ParseResult result =
parseAndSetRepoInit("/jcr_root/home/groups/g/_rep_policy.xml", aclManager);
+ ParseResult result =
parseAndSetRepoinit("/jcr_root/home/groups/g/_rep_policy.xml", aclManager);
Extension repoinitExtension = result.getRepoinitExtension();
String expected =
@@ -225,12 +228,10 @@ public final class RepPolicyEntryHandlerTest {
public void policyAtGroupNode() throws Exception {
SystemUser s1 = new SystemUser("service1", new
RepoPath("/home/users/system/services/random1"), new
RepoPath("/home/users/system/services"));
Group gr = new Group("testgroup", new
RepoPath("/home/groups/g/HjDnfdMCjekaF4jhhUvO"), new
RepoPath("/home/groups/g"));
-
- AclManager aclManager = new DefaultAclManager();
aclManager.addSystemUser(s1);
aclManager.addGroup(gr);
-
parseAndSetRepoInit("/jcr_root/home/groups/g/HjDnfdMCjekaF4jhhUvO/_rep_policy.xml",
aclManager);
+
parseAndSetRepoinit("/jcr_root/home/groups/g/HjDnfdMCjekaF4jhhUvO/_rep_policy.xml",
aclManager);
}
@Test(expected = IllegalStateException.class)
@@ -238,11 +239,10 @@ public final class RepPolicyEntryHandlerTest {
SystemUser s1 = new SystemUser("service1", new
RepoPath("/home/users/system/services/random1"), new
RepoPath("/home/users/system/services"));
Group gr = new Group("testgroup3", new
RepoPath("/home/groups/g/ouStmkrzT9wCEhtMD9sT"), new
RepoPath("/home/groups/g"));
- AclManager aclManager = new DefaultAclManager();
aclManager.addSystemUser(s1);
aclManager.addGroup(gr);
-
parseAndSetRepoInit("/jcr_root/home/groups/g/ouStmkrzT9wCEhtMD9sT/profile/_rep_policy.xml",
aclManager);
+
parseAndSetRepoinit("/jcr_root/home/groups/g/ouStmkrzT9wCEhtMD9sT/profile/_rep_policy.xml",
aclManager);
}
@Test(expected = IllegalStateException.class)
@@ -250,11 +250,32 @@ public final class RepPolicyEntryHandlerTest {
SystemUser s1 = new SystemUser("service1", new
RepoPath("/home/users/system/services/random1"), new
RepoPath("/home/users/system/services"));
User user = new User("author", new RepoPath("/home/users/a/author"),
new RepoPath("/home/users/a"));
- AclManager aclManager = new DefaultAclManager();
aclManager.addSystemUser(s1);
aclManager.addUser(user);
- parseAndSetRepoInit("/jcr_root/home/users/a/author/_rep_policy.xml",
aclManager);
+ parseAndSetRepoinit("/jcr_root/home/users/a/author/_rep_policy.xml",
aclManager);
+ }
+
+ @Test
+ public void parseJackrabbit2Restrictions() throws Exception {
+ RepoPath repoPath = new
RepoPath("/home/users/system/services/random1");
+ SystemUser systemUser = new SystemUser("service1", repoPath, new
RepoPath("/home/users/system/services"));
+ aclManager.addSystemUser(systemUser);
+
+ String path = "/jcr_root/asd/jr2restrictions/_rep_policy.xml";
+ Extension repoinitExtension = parseAndSetRepoinit(path,
aclManager).getRepoinitExtension();
+ String expected =
+ "create service user service1 with path
/home/users/system/services" + System.lineSeparator() +
+ "set ACL for service1\n" +
+ "allow jcr:read on /asd/jr2restrictions
restriction(rep:glob,*/subtree/*)
restriction(sling:customRestriction,sling:value1,sling:value2)\n" +
+ "end\n";
+
+ String actual = repoinitExtension.getText();
+ assertEquals(expected, actual);
+
+ RepoInitParser repoInitParser = new RepoInitParserService();
+ List<Operation> operations = repoInitParser.parse(new
StringReader(actual));
+ assertFalse(operations.isEmpty());
}
private ParseResult parseAndSetRepoinit(String...systemUsersNames) throws
Exception {
@@ -271,15 +292,14 @@ public final class RepPolicyEntryHandlerTest {
private ParseResult parseAndSetRepoinit(@NotNull SystemUser...systemUsers)
throws Exception {
String path = "/jcr_root/home/users/system/asd/_rep_policy.xml";
- AclManager aclManager = new DefaultAclManager();
for (SystemUser systemUser : systemUsers) {
aclManager.addSystemUser(systemUser);
}
- return parseAndSetRepoInit(path, aclManager);
+ return parseAndSetRepoinit(path, aclManager);
}
@NotNull
- private ParseResult parseAndSetRepoInit(@NotNull String path, @NotNull
AclManager aclManager) throws Exception {
+ private ParseResult parseAndSetRepoinit(@NotNull String path, @NotNull
AclManager aclManager) throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
return new ParseResult(TestUtils.createRepoInitExtension(handler,
aclManager, path, getClass().getResourceAsStream(path.substring(1)), baos), new
String(baos.toByteArray()));
}
diff --git
a/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandlerTest.java
b/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandlerTest.java
index fa4e04e..04af9d7 100644
---
a/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandlerTest.java
+++
b/src/test/java/org/apache/sling/feature/cpconverter/handlers/RepPrincipalPolicyEntryHandlerTest.java
@@ -87,7 +87,7 @@ public final class RepPrincipalPolicyEntryHandlerTest {
String expected =
"create service user service2 with path
/home/users/system/services" + System.lineSeparator() +
"set principal ACL for service2\n" +
- "allow jcr:read on /asd/public
restriction(rep:ntNames,nt:folder,sling:Folder)\n" +
+ "allow jcr:read on /asd/public
restriction(rep:ntNames,nt:folder,sling:Folder)
restriction(sling:customRestriction,customRestrictionValue)\n" +
"end\n";
String actual = repoinitExtension.getText();
diff --git
a/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
b/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/asd/jr2restrictions/.content.xml
similarity index 62%
copy from
src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
copy to
src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/asd/jr2restrictions/.content.xml
index 38f5335..0589bcb 100644
---
a/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
+++
b/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/asd/jr2restrictions/.content.xml
@@ -15,15 +15,5 @@
License for the specific language governing permissions and limitations under
the License.
-->
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"; xmlns:rep="internal"
- jcr:primaryType="rep:PrincipalPolicy"
- rep:principalName="service2">
- <entry0
- jcr:primaryType="rep:PrincipalEntry"
- rep:privileges="{Name}[jcr:read]"
- rep:effectivePath="/asd/public">
- <rep:restrictions
- jcr:primaryType="rep:Restrictions"
- rep:ntNames="{Name}[nt:folder,sling:Folder]"/>
- </entry0>
-</jcr:root>
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0";
xmlns:jcr="http://www.jcp.org/jcr/1.0";
+ jcr:primaryType="sling:Folder"/>
diff --git
a/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
b/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/asd/jr2restrictions/_rep_policy.xml
similarity index 72%
copy from
src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
copy to
src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/asd/jr2restrictions/_rep_policy.xml
index 38f5335..852cb01 100644
---
a/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
+++
b/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/asd/jr2restrictions/_rep_policy.xml
@@ -15,15 +15,12 @@
License for the specific language governing permissions and limitations under
the License.
-->
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"; xmlns:rep="internal"
- jcr:primaryType="rep:PrincipalPolicy"
- rep:principalName="service2">
- <entry0
- jcr:primaryType="rep:PrincipalEntry"
+<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"; xmlns:rep="internal"
xmlns:sling="http://sling.apache.org/jcr/sling/1.0";
+ jcr:primaryType="rep:ACL">
+ <allow0
+ jcr:primaryType="rep:GrantACE"
+ rep:principalName="service1"
rep:privileges="{Name}[jcr:read]"
- rep:effectivePath="/asd/public">
- <rep:restrictions
- jcr:primaryType="rep:Restrictions"
- rep:ntNames="{Name}[nt:folder,sling:Folder]"/>
- </entry0>
+ rep:glob="{Name}[*/subtree/*]"
+ sling:customRestriction="{Name}[sling:value1,sling:value2]"/>
</jcr:root>
diff --git
a/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
b/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
index 38f5335..d2da38d 100644
---
a/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
+++
b/src/test/resources/org/apache/sling/feature/cpconverter/handlers/jcr_root/home/users/system/services/random2/_rep_principalPolicy.xml
@@ -15,7 +15,7 @@
License for the specific language governing permissions and limitations under
the License.
-->
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"; xmlns:rep="internal"
+<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"; xmlns:rep="internal"
xmlns:sling="http://sling.apache.org/jcr/sling/1.0";
jcr:primaryType="rep:PrincipalPolicy"
rep:principalName="service2">
<entry0
@@ -24,6 +24,7 @@
rep:effectivePath="/asd/public">
<rep:restrictions
jcr:primaryType="rep:Restrictions"
- rep:ntNames="{Name}[nt:folder,sling:Folder]"/>
+ rep:ntNames="{Name}[nt:folder,sling:Folder]"
+ sling:customRestriction="customRestrictionValue"/>
</entry0>
</jcr:root>
